Trusted platform module protection for non-volatile memory express (NVMe) recovery

ABSTRACT

An information handling system is configured to support first and second boot sequences, which invokes first and second bootloaders respectively. The bootloaders may be stored in an NVMe storage boot partition. Each bootloader may be associated with a corresponding encryption key generated by a trusted platform module, which may seal the first and second keys in accordance with one or more measurements taken during the respective boot sequences. The system determines whether a boot sequence in progress comprises is to invoke the first or second bootloader. The system then unseals the appropriate encryption key to access the appropriate bootloader. The first bootloader may be a host OS bootloader and the second bootloader may be for a recovery resource invoked when the host OS fails to load. The recovery resource may enables BIOS to connect to a remote store and download an image via a HTTP mechanism.

TECHNICAL FIELD

The present disclosure relates to information handling systems and, morespecifically, recovering a faulty information handling.

BACKGROUND

As the value and use of information continues to increase, individualsand businesses seek additional ways to process and store information.One option available to users is information handling systems. Aninformation handling system generally processes, compiles, stores,and/or communicates information or data for business, personal, or otherpurposes thereby allowing users to take advantage of the value of theinformation. Because technology and information handling needs andrequirements vary between different users or applications, informationhandling systems may also vary regarding what information is handled,how the information is handled, how much information is processed,stored, or communicated, and how quickly and efficiently the informationmay be processed, stored, or communicated. The variations in informationhandling systems allow for information handling systems to be general orconfigured for a specific user or specific use such as financialtransaction processing, airline reservations, enterprise data storage,or global communications. In addition, information handling systems mayinclude a variety of hardware and software components that may beconfigured to process, store, and communicate information and mayinclude one or more computer systems, data storage systems, andnetworking systems.

When an information handling system is reset, the system typicallyexecutes firmware that performs a boot process to initialize varioussystem components and interfaces, load an operating system, and performvarious other actions to configure the system into a known and initialstate. Historically, basic input/output system (BIOS) was the de factostandard for boot process firmware. More recently, firmware compliantwith the unified extensible firmware interface (UEFI) specification hasevolved to address various limitations inherent in BIOS.

A UEFI-compliant boot process may define a boot manager that checks theboot configuration and, based on its settings, executes the specified OSboot loader. However, if a system is unable to boot to the operatingsystem after repeated attempts and a pre-boot system performance checkdetects no hardware issues, it may be desirable to provide a method forrecovering the operating system.

SUMMARY

In accordance with teachings disclosed herein, common problemsassociated with conventional boot loaders and system recovery tools areaddressed by methods and systems for booting a recovery resource fromprotected regions of a non-volatile memory express (NVMe) storagedevice.

Disclosed methods may define a protected region of an NVMe storagedevice as a boot partition that stores a bootloader for a recoveryresource that enables BIOS to establish a network connection (e.g., viaHTTP) to a remote store and download an image, such as a diagnostic OSimage. An authentication key may be associated with the boot partitionand used to ensure that operations attempting to write to the bootpartition originate from an authorized entity. The authentication keymay be implemented as a replay protected media block (RPMB)authentication key to detect unauthorized writes to the boot partition.However, because RPMB authentication keys do not support readprotection, additional measures are necessary to protect certaininformation, including information used for establishing recoverytunnels to trusted servers.

In at least one embodiment, the write protection necessary to deterunauthorized access to boot partition code and the read protectionnecessary to deter discovery of boot partition data are both achievedwith a trusted platform module and, more specifically, by encryptingrecovery resource secrets and the RPMC authentication keys using one ormore TPM keys. The TPM keys may be sealed to the measured state of theplatform as indicated by the TPM's platform configuration registers(PCRs) at specified points in the boot sequence. In at least oneembodiment, the TPM key(s) may be tied to the measured platform state atthe point when the recovery resource is invoked. Measurements unique tothe recovery resource may be sent to the TPM both before and afteraccess to ensure that keys can only be utilized at the exact momentneeded for the recovery resource. In at least one embodiment, one orboth of the bootloaders is configured to validate values stored in oneor more TPM PCRs as part of the bootloader execution flow.

Technical advantages of the present disclosure may be readily apparentto one skilled in the art from the figures, description and claimsincluded herein. The objects and advantages of the embodiments will berealized and achieved at least by the elements, features, andcombinations particularly pointed out in the claims.

It is to be understood that both the foregoing general description andthe following detailed description are examples and explanatory and arenot restrictive of the claims set forth in this disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the present embodiments and advantagesthereof may be acquired by referring to the following description takenin conjunction with the accompanying drawings, in which like referencenumbers indicate like features, and wherein:

FIG. 1 is a block diagram of an information handling system inaccordance with disclosed subject matter; and

FIG. 2 illustrates a secure method for invoking a resource recovery bootloader.

DETAILED DESCRIPTION

Exemplary embodiments and their advantages are best understood byreference to FIGS. 1-2 , wherein like numbers are used to indicate likeand corresponding parts unless expressly indicated otherwise.

For the purposes of this disclosure, an information handling system mayinclude any instrumentality or aggregate of instrumentalities operableto compute, classify, process, transmit, receive, retrieve, originate,switch, store, display, manifest, detect, record, reproduce, handle, orutilize any form of information, intelligence, or data for business,scientific, control, entertainment, or other purposes. For example, aninformation handling system may be a personal computer, a personaldigital assistant (PDA), a consumer electronic device, a network storagedevice, or any other suitable device and may vary in size, shape,performance, functionality, and price. The information handling systemmay include memory, one or more processing resources such as a centralprocessing unit (“CPU”), microcontroller, or hardware or softwarecontrol logic. Additional components of the information handling systemmay include one or more storage devices, one or more communicationsports for communicating with external devices as well as variousinput/output (“I/O”) devices, such as a keyboard, a mouse, and a videodisplay. The information handling system may also include one or morebuses operable to transmit communication between the various hardwarecomponents.

Additionally, an information handling system may include firmware forcontrolling and/or communicating with, for example, hard drives, networkcircuitry, memory devices, I/O devices, and other peripheral devices.For example, the hypervisor and/or other components may comprisefirmware. As used in this disclosure, firmware includes softwareembedded in an information handling system component used to performpredefined tasks. Firmware is commonly stored in non-volatile memory, ormemory that does not lose stored data upon the loss of power. In certainembodiments, firmware associated with an information handling systemcomponent is stored in non-volatile memory that is accessible to one ormore information handling system components. In the same or alternativeembodiments, firmware associated with an information handling systemcomponent is stored in non-volatile memory that is dedicated to andcomprises part of that component.

For the purposes of this disclosure, computer-readable media may includeany instrumentality or aggregation of instrumentalities that may retaindata and/or instructions for a period of time. Computer-readable mediamay include, without limitation, storage media such as a direct accessstorage device (e.g., a hard disk drive or floppy disk), a sequentialaccess storage device (e.g., a tape disk drive), compact disk, CD-ROM,DVD, random access memory (RAM), read-only memory (ROM), electricallyerasable programmable read-only memory (EEPROM), and/or flash memory; aswell as communications media such as wires, optical fibers, microwaves,radio waves, and other electromagnetic and/or optical carriers; and/orany combination of the foregoing.

For the purposes of this disclosure, information handling resources maybroadly refer to any component system, device or apparatus of aninformation handling system, including without limitation processors,service processors, basic input/output systems (BIOSs), buses, memories,I/O devices and/or interfaces, storage resources, network interfaces,motherboards, and/or any other components and/or elements of aninformation handling system.

In the following description, details are set forth by way of example tofacilitate discussion of the disclosed subject matter. It should beapparent to a person of ordinary skill in the field, however, that thedisclosed embodiments are exemplary and not exhaustive of all possibleembodiments.

Throughout this disclosure, a hyphenated form of a reference numeralrefers to a specific instance of an element and the un-hyphenated formof the reference numeral refers to the element generically. Thus, forexample, “device 12-1” refers to an instance of a device class, whichmay be referred to collectively as “devices 12” and any one of which maybe referred to generically as “a device 12”.

As used herein, when two or more elements are referred to as “coupled”to one another, such term indicates that such two or more elements arein electronic communication, mechanical communication, including thermaland fluidic communication, thermal, communication or mechanicalcommunication, as applicable, whether connected indirectly or directly,with or without intervening elements.

FIG. 1 is a block diagram of an exemplary information handling system100 (e.g., a desktop computer, laptop computer, tablet computer, server,Internet of Things (IoT) device, etc.) as it may be configured accordingto one embodiment of the present disclosure. As shown in FIG. 1 , IHS100 may generally include at least one central processing unit (CPU) 110(e.g., a host processor), a system memory 120, a graphics processor unit(GPU) 130, a display device 140, a platform controller hub (PCH) 150,BIOS flash 154 containing BIOS firmware 155, a trusted platform module156, a non-volatile memory express (NVMe) storage resource 160, acomputer readable storage device 170, a network interface card (NIC)180, and an embedded controller (EC) 190.

System memory 120 is coupled to CPU 110 and generally configured tostore program instructions (or computer program code), which areexecutable by CPU 110. System memory 120 may be implemented using anysuitable memory technology, including but not limited to, dynamic randomaccess memory or any other suitable type of memory. Graphics processorunit (GPU) 130 is coupled to CPU 110 and configured to coordinatecommunication between the host processor and one or more displaycomponents of the IHS. In the embodiment shown in FIG. 1 , GPU 130 iscoupled to display device 140 and configured to provide visual images(e.g., a graphical user interface, messages and/or user prompts) to theuser.

Platform controller hub (PCH) 150 is coupled to CPU 110 and configuredto handle I/O operations for the IHS. As such, PCH 150 may include avariety of communication interfaces and ports for communicating withvarious system components, input/output (I/O) devices, expansionbus(es), and so forth. The PCH 150 illustrated in FIG. 1 interfaces witha serial peripheral interface (SPI) bus 152, to which a BIOS flash 154,containing BIOS firmware 155, and a trusted platform module 156 arecoupled. TPM is a secure cryptoprocessor for securing system resourcesvia cryptographic keys. TPM 156 may include a cryptographic processorthat includes a random number generator, an asymmetric key generator, asecure hash generator, and a digital signature module. TPM may furtherinclude storage resources for storing various keys and platformconfiguration registers (PCRs).

PCH 150 is further coupled to an NVMe storage resource 160. NVMe storageresource 160 may include a NAND flash solid state drive (SSD) configuredwith a PCIe interface for coupling to a PCIe bus. The NVMe 160illustrated in FIG. 1 has been configured with a boot partition 162. Theboot partition 162 illustrated in FIG. 1 includes a pair of bootloaderobjects. The bootloader objects illustrated in FIG. 1 include a host OSbootloader 163-1 and a recovery resource bootloader 163-2.

In at least one embodiment, recovery resource bootloader 163-2 comprisesa resource, such as the BIOSConnect resource from Dell Products, whichenables a user to recover when the local host OS image is corrupted,replaced, or absent by enabling BIOS to connect to a backend store andto load an image via https method.

Storage device 170 may be any type of persistent, non-transitorycomputer readable storage device, including non-PCIe storage devices,such as one or more hard disk drives (HDDs) or solid-state drives(SSDs), and may be generally configured to store software and/or data.For example, computer readable storage device 170 may be configured tostore an operating system (OS) 171 for the IHS, in addition to othersoftware and/or firmware modules and user data. As known in the art, OS171 may contain program instructions (or computer program code), whichmay be executed by CPU 110 to perform various tasks and functions forthe information handling system and/or for the user.

NIC 180 enables IHS 100 to communicate with one or more remotely locatedsystems and/or services 184 via an external network 182 using one ormore communication protocols. Network 182 may be a local area network(LAN), wide area network (WAN), personal area network (PAN), or thelike, and the connection to and/or between IHS 100 and network 182 maybe wired, wireless or a combination thereof. For purposes of thisdiscussion, network 182 is indicated as a single collective componentfor simplicity. However, it is appreciated that network 182 may compriseone or more direct connections to other remote systems and/or services,as well as a more complex set of interconnections as can exist within awide area network, such as the Internet. NIC 180 may communicate dataand signals to/from IHS 100 using any known communication protocol.

Embedded controller (EC) 190 is generally configured to boot theinformation handling system and perform other functions. EC 190 maygenerally include read only memory (ROM), random access memory (RAM) anda processing device (e.g., a controller, microcontroller,microprocessor, ASIC, etc.) for executing program instructions storedwithin its internal ROM and RAM. For example, EC 190 may be configuredto execute program instructions (e.g., a boot block) stored within itsinternal ROM to initiate a boot process for the information handlingsystem.

Referring now to FIG. 2 , an exemplary boot sequence is represented inflow diagram format to illustrate features of disclosed subject matter.The boot sequence 200 illustrated in FIG. 2 includes one or morecomponents of an industry standard UEFI BIOS boot sequence including asecurity (SEC) phase 202, a Pre-EFI initialization (PEI) phase 206, adriver execution environment (DXE) phase 208, and a boot device select(BDS) phase 212. One or more conventional BIOS runtime measurements 220may be taken before, during, or after any of these stages using TPM 156including one or more TPM platform configuration registers (PCRs) (notexplicitly depicted).

Upon exiting BDS phase 212, the illustrated method determines (block230) whether a recovery resource is needed. If no recovery resource isneeded, the illustrated boot process 200 invokes BIOS 155 (FIG. 1 )extends a measurement 232 of host OS bootloader 163-2 into TPM 156. Ifthe measurement matches an expected previously determined value, theillustrated process 200 unseals (block 240) a key 242 for Host OSloader. The host OS loader key 242 unlocks an OS portion 162-1 of bootpartition 162 to enable the host to access and execute the Host OSbootloader.

If it is determined at block 230 that a recovery resource is needed, theillustrated boot process 200 invokes BIOS 155 (FIG. 1 ) to extend ameasurement 234 of recovery resource bootloader 163-2 into TPM 156,which alters the state of the TPM PCRs, precisely when recovery resourceboot loader 162-2 is accessed. If the measured platform state matches apreviously determined expected state, TPM 125 unseals a resourcerecovery bootloader key 160 that grants access to a resource recoveryportion 162-1 of NVMe boot partition 162.

In this manner, TPM 125 releases different encryption keys depending onwhich boot sequence is measured and the recovery resource portion 152 ofthe TPM storage device 150 is protected from OS access.

This disclosure encompasses all changes, substitutions, variations,alterations, and modifications to the example embodiments herein that aperson having ordinary skill in the art would comprehend. Similarly,where appropriate, the appended claims encompass all changes,substitutions, variations, alterations, and modifications to the exampleembodiments herein that a person having ordinary skill in the art wouldcomprehend. Moreover, reference in the appended claims to an apparatusor system or a component of an apparatus or system being adapted to,arranged to, capable of, configured to, enabled to, operable to, oroperative to perform a particular function encompasses that apparatus,system, or component, whether or not it or that particular function isactivated, turned on, or unlocked, as long as that apparatus, system, orcomponent is so adapted, arranged, capable, configured, enabled,operable, or operative.

All examples and conditional language recited herein are intended forpedagogical objects to aid the reader in understanding the disclosureand the concepts contributed by the inventor to furthering the art, andare construed as being without limitation to such specifically recitedexamples and conditions. Although embodiments of the present disclosurehave been described in detail, it should be understood that variouschanges, substitutions, and alterations could be made hereto withoutdeparting from the spirit and scope of the disclosure.

What is claimed is:
 1. A method, comprising: configuring an informationhandling system with a host operating system (OS) boot sequence and arecovery resource boot sequence wherein the host OS boot sequenceinvokes a host OS bootloader stored in a first part of NVMe storage andthe recovery resource boot sequence invokes a recovery resourcebootloader stored in a second part of NVMe storage; associating the hostOS boot sequence with a host OS encryption key and the recovery resourceboot sequence with a recovery resource encryption key; sealing, inaccordance with a first platform configuration register (PCR)measurement unique to the host OS boot sequence, the host OS encryptionkey; sealing, in accordance with a second PCR measurement unique to therecovery resource boot sequence, the recovery resource encryption key;responsive to detecting execution of a boot sequence, determiningwhether the boot sequence invokes the host OS bootloader or the recoveryresource bootloader; and responsive to determining that the bootsequence invokes the first host OS bootloader, authenticating the hostOS bootloader to unseal the host OS encryption key and access the firstpart of the NVMe storage to execute the host OS bootloader, whereinauthenticating the host OS bootloader includes, extending a measurementof the host OS bootloader into the PCR prior to comparing a value of thePCR with a first predetermined value; responsive to determining that theboot sequence invokes the recovery resource bootloader, authenticatingthe recovery resource bootloader to unseal the recovery resourceencryption key and access the part of the NVMe storage to execute therecovery resource bootloader wherein authenticating the recoveryresource bootloader includes, extending a measurement of the recoveryresource bootloader into the PCR prior to comparing a value of the PCRwith a second predetermined value.
 2. The method of claim 1, wherein thehost OS and recovery resource encryption keys are sealed and unsealed bya trusted platform module (TPM) of the information handling system. 3.The method of claim 2, wherein sealing the host OS encryption keycomprises sealing the host OS encryption key to a storage resource ofthe TPM.
 4. The method of claim 1, wherein at least one of the host OSand recovery resource bootloaders is stored in an NVMe boot directory.5. The method of claim 1, wherein the recovery resource authenticationkey comprises a replay protected media block (RPMB) key.
 6. The methodof claim 1, wherein the recovery resource enables BIOS to establish anetwork connection with a remote store and load from the remote storevia the network connection an image of a recovery OS.
 7. The method ofclaim 6, wherein confidential information required to establish thenetwork connection is stored in the second part of the NVMe storage. 8.An information handling system, comprising: a central processing unit;and a non-transitory computer readable medium including processorexecutable instructions for a host OS boot sequence, a recovery resourceboot sequence, and additional instructions, wherein the host OS bootsequence invokes a host OS bootloader stored in a first part of NVMestorage and the recovery resource boot sequence invokes a recoveryresource bootloader stored in a second part of the NVMe storage andwherein the additional instructions, when executed by the CPU cause thesystem to perform operations including: associating the host OS bootsequence with a host OS encryption key and the recovery resource bootsequence with a recovery resource encryption key; sealing, in accordancewith a first platform configuration register (PCR) measurement unique tothe host OS boot sequence, the host OS encryption key; sealing, inaccordance with a second PCR measurement unique to the recovery resourceboot sequence, the recovery resource encryption key; responsive todetecting execution of a boot sequence, determining whether the bootsequence invokes the host OS bootloader or the recovery resourcebootloader; and responsive to determining that the boot sequence invokesthe host OS bootloader, authenticating the host OS bootloader to unsealthe host OS encryption key and access the first part of the NVMe storageand execute the host OS bootloader, wherein authenticating the host OSbootloader includes, extending a measurement of the host OS bootloaderinto the PCR prior to comparing a value of the PCR with a firstpredetermined value; responsive to determining that the boot sequenceinvokes the recovery resource bootloader, authenticating the recoveryresource bootloader to unseal the recovery resource encryption key andaccess the second part of the NVMe storage and execute the recoveryresource bootloader wherein authenticating the recovery resourcebootloader includes, extending a measurement of the recovery resourcebootloader into the PCR prior to comparing a value of the PCR with asecond predetermined value.
 9. The information handling system of claim8, wherein the host OS and recovery resource encryption keys are sealedand unsealed by a trusted platform module of the information handlingsystem.
 10. The information handling system of claim 9, wherein sealingthe host OS encryption key comprises sealing the host OS encryption keyto a storage resource of the TPM.
 11. The information handling system ofclaim 9, wherein at least one of the host OS and recovery resourcebootloaders is configured wherein the bootloader, when executed,validates values stored in one or more platform configuration registers(PCRs) of the trusted platform module.
 12. The information handlingsystem of claim 8, wherein at least one of the host OS and recoveryresource bootloaders is stored in an NVMe boot directory.
 13. Theinformation handling system of claim 8, wherein an authentication keyfor the recovery resource bootloader is encrypted by the recoveryresource encryption key and wherein the authentication key comprises areplay protected media block (RPMB) key.
 14. The information handlingsystem of claim 8, wherein the recovery resource enables BIOS toestablish a network connection with a remote store and load from theremote store via the network connection an image of a recovery OS. 15.The information handling system of claim 14, wherein confidentialinformation required to establish the network connection is stored inthe second part of the NVMe storage.